• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2021 SUSE LLC <rpalethorpe@suse.com>
4  * Based on reproducer by Nicolai Stange based on PoC Andy Nguyen
5  */
6 /*\
7  * [Description]
8  *
9  * This will reproduce the bug on x86_64 in 32bit compatibility
10  * mode. It is most reliable with KASAN enabled. Otherwise it relies
11  * on the out-of-bounds write corrupting something which leads to a
12  * crash. It will run in other scenarious, but is not a test for the
13  * CVE.
14  *
15  * See https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
16  *
17  * Also below is Nicolai's detailed description of the bug itself.
18  *
19  * The problem underlying CVE-2021-22555 fixed by upstream commit
20  * b29c457a6511 ("netfilter: x_tables: fix compat match/target pad
21  * out-of-bound write") is that the (now removed) padding zeroing code
22  * in xt_compat_target_from_user() had been based on the premise that
23  * the user specified ->u.user.target_size, which will be considered
24  * for the target buffer allocation size, is greater or equal than
25  * what's needed to fit the corresponding xt_target instance's
26  * ->targetsize: if OTOH the user specified ->u.user.target_size is
27  * too small, then the memset() destination address calculated by
28  * adding ->targetsize to the payload start will not point at, but
29  * into or even past the padding. For the table's last entry's target
30  * record, this will result in an out-of-bounds write past the
31  * destination buffer allocated for the converted table. The code
32  * below will create a (compat) table such that the converted table's
33  * calculated size will fit exactly into a slab size of 1024 bytes and
34  * that the memset() in xt_compat_target_from_user() will write past
35  * this slab.
36  *
37  * The table will consist of
38  *  - the mandatory struct compat_ipt_replace header,
39  *  - a single entry consisting of
40  *    - the mandatory compat_ipt_entry header
41  *    - a single 'state' match entry of appropriate size for
42  *      controlling the out-of-bounds write when converting
43  *      the target entry following next,
44  *    - a single 'REJECT' target entry.
45  * The kernel will transform this into a buffer containing (in
46  * this order)
47  * - a xt_table_info
48  * - a single entry consisting of
49  *   - its ipt_entry header
50  *   - a single 'state' match entry
51  *   - followed by a single 'REJECT' target entry.
52  *
53  * The expected sizes for the 'state' match entries as well as the
54  * 'REJECT' target are the size of the base header struct (32 bytes)
55  * plus the size of an unsigned int (4 bytes) each. In the course of
56  * the compat => non-compat conversion, the kernel will insert four
57  * bytes of padding after the unsigned int payload (c.f.  'off'
58  * adjustments via xt_compat_match_offset() and
59  * xt_compat_target_offset() in xt_compat_match_from_user() and
60  * xt_compat_target_from_user() resp.). This code is based on the
61  * premise that the user sets the given ->u.user.match_size or
62  * ->u.user.target_size consistent to the COMPAT_XT_ALIGN()ed payload
63  * size as specified by the corresponding xt_match instance's
64  * ->matchsize or xt_target instance's ->targetsize. That is, the
65  * padding gets inserted unconditionally during the transformation,
66  * independent of the actual values of ->u.user.match_size or
67  * ->u.user.target_size and the result ends up getting layed out with
68  * proper alignment only if said values match the expectations. That's
69  * not a problem in itself, but this unconditional insertion of
70  * padding must be taken into account in the match_size calculation
71  * below.
72  *
73  * For the match_size calculation below, note that the chosen
74  * target slab size is 1024 and that
75  *  - sizeof(xt_table_info) = 64
76  *  - sizeof(ipt_entry) = 112
77  *  - the kernel will insert four bytes of padding
78  *    after the match and target entries each.
79  *  - sizeof(struct xt_entry_target) = 32
80  */
81 
82 #include <netinet/in.h>
83 
84 #include "tst_test.h"
85 #include "tst_safe_net.h"
86 #include "lapi/ip_tables.h"
87 #include "lapi/namespaces_constants.h"
88 
89 static void *buffer;
90 
setup(void)91 void setup(void)
92 {
93 	if (tst_kernel_bits() == 32 || sizeof(long) > 4) {
94 		tst_res(TINFO,
95 			"The vulnerability was only present in 32-bit compat mode");
96 	}
97 
98 	SAFE_TRY_FILE_PRINTF("/proc/sys/user/max_user_namespaces", "%d", 10);
99 
100 	SAFE_UNSHARE(CLONE_NEWUSER);
101 	SAFE_UNSHARE(CLONE_NEWNET);
102 }
103 
run(void)104 void run(void)
105 {
106 	const char *const res_fmt_str =
107 		"setsockopt(%d, IPPROTO_IP, IPT_SO_SET_REPLACE, %p, 1)";
108 	struct ipt_replace *ipt_replace = buffer;
109 	struct ipt_entry *ipt_entry = &ipt_replace->entries[0];
110 	struct xt_entry_match *xt_entry_match =
111 		(struct xt_entry_match *)&ipt_entry->elems[0];
112 	const size_t tgt_size = 32;
113 	const size_t match_size = 1024 - 64 - 112 - 4 - tgt_size - 4;
114 	struct xt_entry_target *xt_entry_tgt =
115 		((struct xt_entry_target *) (&ipt_entry->elems[0] + match_size));
116 	int fd = SAFE_SOCKET(AF_INET, SOCK_DGRAM, 0);
117 	int result;
118 
119 	xt_entry_match->u.user.match_size = (u_int16_t)match_size;
120 	strcpy(xt_entry_match->u.user.name, "state");
121 
122 	xt_entry_tgt->u.user.target_size = (u_int16_t)tgt_size;
123 	strcpy(xt_entry_tgt->u.user.name, "REJECT");
124 
125 	ipt_entry->target_offset =
126 		(__builtin_offsetof(struct ipt_entry, elems) + match_size);
127 	ipt_entry->next_offset = ipt_entry->target_offset + tgt_size;
128 
129 	strcpy(ipt_replace->name, "filter");
130 	ipt_replace->num_entries = 1;
131 	ipt_replace->num_counters = 1;
132 	ipt_replace->size = ipt_entry->next_offset;
133 
134 	TEST(setsockopt(fd, IPPROTO_IP, IPT_SO_SET_REPLACE, buffer, 1));
135 
136 	if (TST_RET == -1 && TST_ERR == ENOPROTOOPT)
137 		tst_brk(TCONF | TTERRNO, res_fmt_str, fd, buffer);
138 
139 	result = (TST_RET == -1 && TST_ERR == EINVAL) ? TPASS : TFAIL;
140 	tst_res(result | TTERRNO, res_fmt_str, fd, buffer);
141 
142 	SAFE_CLOSE(fd);
143 }
144 
145 static struct tst_test test = {
146 	.setup = setup,
147 	.test_all = run,
148 	.taint_check = TST_TAINT_W | TST_TAINT_D,
149 	.forks_child = 1,
150 	.bufs = (struct tst_buffers []) {
151 		{&buffer, .size = 2048},
152 		{},
153 	},
154 	.needs_kconfigs = (const char *[]) {
155 		"CONFIG_NETFILTER_XT_MATCH_STATE",
156 		"CONFIG_IP_NF_TARGET_REJECT",
157 		"CONFIG_USER_NS=y",
158 		"CONFIG_NET_NS=y",
159 		NULL
160 	},
161 	.save_restore = (const char * const[]) {
162 		"?/proc/sys/user/max_user_namespaces",
163 		NULL,
164 	},
165 	.tags = (const struct tst_tag[]) {
166 		{"linux-git", "b29c457a6511"},
167 		{"CVE", "2021-22555"},
168 		{}
169 	}
170 };
171